On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stin...@gmail.com> wrote:
> On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storch...@gmail.com> wrote:
>
> > I think the only reliable way of fixing the vulnerability is rejecting or
> > escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
> > support of RFC 2640 is a new feature and can be added only in 3.7. And this
> > feature should be optional since not all servers support RFC 2640.
> > https://github.com/python/cpython/pull/1214 does the right thing.
>
> In that case, I suggest rejecting newlines in ftplib, and maybe adding an
> opt-in option to escape newlines.
>
> Java just rejected newlines, no? Or does Java allow escaping them?
>
> Victor

OK, let's just reject \n then and be done with it. It's a rare use case after all. Java just rejects \n for all commands and does not support escaping (aka RFC 2640).

--
Giampaolo - http://grodola.blogspot.com
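
An added example (not part of the thread and not the code from the linked pull request) of the reject approach agreed on above: one function sends a command line unchecked, one refuses CR and LF, and a line-oriented parser shows how a server would see each. All function names, the sample file name and the choice of encoding are assumptions made for illustration.

```python
CRLF = "\r\n"

# Constructed sample: a file name taken from untrusted input that carries
# an embedded CRLF followed by a second FTP command.
SAMPLE_NAME = "report.txt\r\nDELE other.txt"


def unsafe_build_command_line(cmd):
    """Behaviour without the check: the command is sent verbatim."""
    return (cmd + CRLF).encode("utf-8")


def build_command_line(cmd):
    """Return the bytes for exactly one FTP command line.

    CR and LF are rejected outright (no RFC 2640 escaping), so a single
    call can never put more than one command on the wire.
    """
    if "\r" in cmd or "\n" in cmd:
        raise ValueError("illegal newline character in FTP command")
    return (cmd + CRLF).encode("utf-8")


def server_view(wire):
    """Split received bytes the way a line-oriented server would."""
    return [line for line in wire.decode("utf-8").split(CRLF) if line]


def is_rejected(cmd):
    """True if build_command_line refuses the command."""
    try:
        build_command_line(cmd)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Unchecked: the server parses two commands from one client call.
    print(server_view(unsafe_build_command_line("RETR " + SAMPLE_NAME)))
    # Checked: the call fails before anything reaches the socket.
    print(is_rejected("RETR " + SAMPLE_NAME))
```
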